There are already a great many threads here on SSO and OTRS, and I tried to read them all before opening this topic myself. We are still running OTRS 3.3.11 (Windows installer) on IIS, so in a Windows domain SSO authentication was fairly simple. However, also for security and performance reasons, we would like to move to the current 4.0.11. Since there is no direct Windows support any more, we set up an Ubuntu 14.04.2 LTS server and installed OTRS.
Installation, database, all no problem; it ran, and more performantly than the Windows variant.
Now, however, we would still like to have SSO. I have inserted code examples below showing how we configured things. If you need anything else, I will post it as quickly as possible. Many thanks in advance for your time helping.
__
Now to the configuration: on the Windows 2012R2 DC we created the following keytab:
Code:
ktpass -princ HTTP/otrs.domain.local@DOMAIN.LOCAL -mapuser apacheotrs@DOMAIN.LOCAL -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -mapop set -pass password -out "C:\Users\Administrator\Downloads\apache\keytab2.http"
Permissions: 0777
After installing the Kerberos package and a2enmod for Kerberos, http_basic, ldap, ... we adjusted /etc/krb5.conf:
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
default_keytab_file = /etc/kerb/keytab2.http
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.LOCAL = {
kdc = dc01.domain.local:88
admin_server = dc01.domain.local:749
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Code:
kinit -VV -k -t /etc/kerb/keytab2.http HTTP/otrs.domain.local@DOMAIN.LOCAL
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/otrs.domain.local@DOMAIN.LOCAL
Using keytab: /etc/kerb/keytab2.http
Authenticated to Kerberos v5
My otrs.conf for Apache:
Code:
# --
# added for OTRS (http://otrs.org/)
# --
ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"
<IfModule mod_perl.c>
# Setup environment and preload modules
Perlrequire /opt/otrs/scripts/apache2-perl-startup.pl
# Reload Perl modules when changed on disk
PerlModule Apache2::Reload
PerlInitHandler Apache2::Reload
# general mod_perl2 options
<Location /otrs>
# ErrorDocument 403 /otrs/customer.pl
ErrorDocument 403 /otrs/index.pl
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
Options +ExecCGI
PerlOptions +ParseHeaders
PerlOptions +SetupEnv
# <IfModule mod_version.c>
# <IfVersion < 2.4>
# Order allow,deny
# Allow from all
# </IfVersion>
# <IfVersion >= 2.4>
# Require all granted
# </IfVersion>
# </IfModule>
<IfModule !mod_version.c>
Order allow,deny
Allow from all
</IfModule>
</Location>
# mod_perl2 options for GenericInterface
<Location /otrs/nph-genericinterface.pl>
PerlOptions -ParseHeaders
</Location>
</IfModule>
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory "/opt/otrs/bin/cgi-bin/">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthType Kerberos
AuthName "OTRS"
Krb5Keytab /etc/kerb/keytab2.http
KrbAuthRealm DOMAIN.LOCAL
KrbMethodNegotiate on
KrbSaveCredentials on
KrbMethodK5Passwd on
KrbServiceName HTTP
Require valid-user
KrbLocalUserMapping on
</Directory>
<Directory "/opt/otrs/var/httpd/htdocs/">
AllowOverride None
<IfModule mod_version.c>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
Order allow,deny
Allow from all
</IfModule>
<IfModule mod_filter.c>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
</IfModule>
</IfModule>
# Make sure CSS and JS files are read as UTF8 by the browsers.
AddCharset UTF-8 .css
AddCharset UTF-8 .js
# Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
AddType application/font-woff .woff
</Directory>
<IfModule mod_headers.c>
# Cache css-cache for 30 days
<Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
<FilesMatch "\.(css|CSS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>
# Cache css thirdparty for 4 hours, including icon fonts
<Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
<FilesMatch "\.(css|CSS|woff|svg)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>
# Cache js-cache for 30 days
<Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>
# Cache js thirdparty for 4 hours
<Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>
</IfModule>
# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000
(IE and Chrome return HTTP 500 / Firefox does not pass on user credentials by default, hence the login prompt)
Tested various settings with Firefox and got the following from the Apache log:
Code:
[Tue Aug 11 13:53:04.526663 2015] [authz_core:debug] [pid 4143] mod_authz_core.c(802): [client 192.168.xx.xx:52831] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Aug 11 13:53:04.526714 2015] [authz_core:debug] [pid 4143] mod_authz_core.c(802): [client 192.168.xx.xx:52831] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Aug 11 13:53:04.526733 2015] [auth_kerb:debug] [pid 4143] src/mod_auth_kerb.c(1652): [client 192.168.xx.xx:52831] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 11 13:53:10.493045 2015] [authz_core:debug] [pid 4167] mod_authz_core.c(802): [client 192.168.xx.xx:52832] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Aug 11 13:53:10.493091 2015] [authz_core:debug] [pid 4167] mod_authz_core.c(802): [client 192.168.xx.xx:52832] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Aug 11 13:53:10.493109 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(1652): [client 192.168.xx.xx:52832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 11 13:53:10.493431 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(1011): [client 192.168.xx.xx:52832] Using HTTP/otrs@ as server principal for password verification
[Tue Aug 11 13:53:10.493454 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(715): [client 192.168.xx.xx:52832] Trying to get TGT for user username@DOMAIN.LOCAL
[Tue Aug 11 13:53:10.524946 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(626): [client 192.168.xx.xx:52832] Trying to verify authenticity of KDC using principal HTTP/otrs@
[Tue Aug 11 13:53:10.540461 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(669): [client 192.168.xx.xx:52832] krb5_rd_req() failed when verifying KDC
[Tue Aug 11 13:53:10.540500 2015] [auth_kerb:error] [pid 4167] [client 192.168.xx.xx:52832] failed to verify krb5 credentials: Wrong principal in request
Here is the OTRS Config.pm as well:
Code:
...
#-------- LDAP SSO ------------------------------#
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::Replace'} = 'DOMAIN\\';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMAIN.LOCAL';
#-------LDAP Backend Config --------------------#
$Self->{CustomerUser} = {
Name => 'LDAP Datenquelle',
Module => 'Kernel::System::CustomerUser::LDAP',
Params => {
SourceCharset => 'utf-8',
Host => 'dc01.domain.local',
BaseDN => 'dc=domain,dc=local',
SSCOPE => 'sub',
UserDN => 'cn=OTRS,OU=XXXXXX,dc=domain,dc=local',
UserPw => 'password',
SourceCharset => 'utf-8',
DestCharset => 'utf-8',
},
CustomerKey => 'sAMAccountName',
CustomerID => 'mail',
CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
CustomerUserPostMasterSearchFields => ['mail'],
CustomerUserNameFields => ['givenname', 'sn'],
Map => [
# note: Login, Email and CustomerID needed!
# var, frontend, storage, shown, required, storage-type
[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
[ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
[ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
[ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
[ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
[ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
[ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
# [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
# [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
],
};
...
P.S.:
The files
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
are empty; no entries appear.
In another thread I read that one should create a keytab for krb5.conf:
Code:
ktpass -princ HOST/otrs@domain.local@DOMAIN.LOCAL -mapuser apacheotrs@DOMAIN.LOCAL -crypto DES-CBC-MD5 -DesOnly -pass password -ptype KRB5_NT_SRV_HST -out "C:\Users\Administrator\Downloads\apache\2krb5.keytab"
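Added example (not part of the post, OTRS or mod_auth_kerb): a small Python helper that parses Apache 2.4 error-log lines of the kind quoted above, extracts the service principal mod_auth_kerb reports using for KDC verification and any credential-verification error, compares that principal with the one the keytab was created for (the `HTTP/otrs.domain.local@DOMAIN.LOCAL` shown by kinit), and flags keytab permission bits such as the 0777 mentioned in the post, since a keytab holds the service account's long-term key. The sample log lines and principal names are constructed from the post's placeholder host names; the regular expressions and function names are the example's own assumptions.

```python
"""Troubleshooting helper for an Apache mod_auth_kerb front-end (added example).

Not part of the forum post, OTRS or mod_auth_kerb. It parses Apache 2.4
error-log lines like the ones quoted in the post, extracts the service
principal mod_auth_kerb reports using for KDC verification and any
credential-verification error, compares that principal with the one the
keytab was created for, and flags keytab permissions that expose the key.
The sample log lines and principal names below are taken from the post
(placeholder host names), not from a live system.
"""
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Apache 2.4 error-log line:
# [timestamp] [module:level] [pid N] [source.c(line):] [client ip:port] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
    r"(?: (?P<src>\S+\(\d+\)):)? \[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
SERVER_PRINCIPAL_RE = re.compile(r"Using (\S+) as server principal")


@dataclass
class LogEntry:
    ts: str
    module: str
    level: str
    pid: int
    client: str
    msg: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse every line that matches the Apache 2.4 error-log layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(LogEntry(m["ts"], m["module"], m["level"],
                                    int(m["pid"]), m["client"], m["msg"]))
    return entries


def server_principal_used(entries: List[LogEntry]) -> Optional[str]:
    """Service principal mod_auth_kerb says it used, e.g. 'HTTP/otrs@' in the post."""
    for e in entries:
        if e.module == "auth_kerb":
            m = SERVER_PRINCIPAL_RE.search(e.msg)
            if m:
                return m.group(1)
    return None


def verification_errors(entries: List[LogEntry]) -> List[str]:
    """Messages logged at error level by mod_auth_kerb."""
    return [e.msg for e in entries if e.module == "auth_kerb" and e.level == "error"]


def principal_mismatch(entries: List[LogEntry], keytab_principal: str) -> Optional[str]:
    """Describe a mismatch between the principal in the log and the keytab's, or None."""
    used = server_principal_used(entries)
    if used is None or used == keytab_principal:
        return None
    return f"mod_auth_kerb used {used!r} but the keytab was created for {keytab_principal!r}"


def keytab_mode_findings(mode: int) -> List[str]:
    """Permission bits on a keytab that let users other than its owner touch it.

    A keytab holds the service account's long-term key, so it should be
    readable only by the account Apache runs as (typically mode 0600, or 0640
    with the web server group)."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("keytab readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("keytab writable by group or others")
    return findings


# Constructed sample: four lines quoted from the post's Apache debug log.
SAMPLE_LOG = """\
[Tue Aug 11 13:53:10.493109 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(1652): [client 192.168.xx.xx:52832] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Aug 11 13:53:10.493431 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(1011): [client 192.168.xx.xx:52832] Using HTTP/otrs@ as server principal for password verification
[Tue Aug 11 13:53:10.540461 2015] [auth_kerb:debug] [pid 4167] src/mod_auth_kerb.c(669): [client 192.168.xx.xx:52832] krb5_rd_req() failed when verifying KDC
[Tue Aug 11 13:53:10.540500 2015] [auth_kerb:error] [pid 4167] [client 192.168.xx.xx:52832] failed to verify krb5 credentials: Wrong principal in request
"""
KEYTAB_PRINCIPAL = "HTTP/otrs.domain.local@DOMAIN.LOCAL"  # from the kinit output in the post
KEYTAB_MODE = 0o777                                       # "Permissions: 0777" in the post


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(principal_mismatch(entries, KEYTAB_PRINCIPAL))
    for err in verification_errors(entries):
        print("error:", err)
    for finding in keytab_mode_findings(KEYTAB_MODE):
        print("finding:", finding)
```

Run it against a real error log by replacing SAMPLE_LOG with the file contents and KEYTAB_PRINCIPAL with the principal that `kinit -k -t <keytab>` (or `klist -k <keytab>`) reports; the mode can be read with `os.stat(path).st_mode`. The checks only surface what the log and the keytab state; they do not change any configuration.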